[FEATURE] Alerting mail support html format #586

Open
yyd19921214 opened this issue Dec 6, 2022 · 3 comments
Labels
enhancement New feature or request roadmap


@yyd19921214

I noticed the current alerting plugin only supports mail notifications in plain/text format. Is there any plan to support HTML format mail?

@yyd19921214 yyd19921214 added enhancement New feature or request untriaged labels Dec 6, 2022
@lezzago
Member

lezzago commented Dec 29, 2022

Moving this issue to Notification as that plugin owns the ability to send out notifications including emails.

@lezzago lezzago transferred this issue from opensearch-project/alerting Dec 29, 2022
@praveensameneni
Member

Targeting for 2.6

@gaobinlong
Collaborator

There is a security issue if we want to implement this feature: HTML content in email may contain scripts, links and other dangerous elements which may be destructive or lead to information leakage, so we must resolve the security problem first. There is a common solution to the security problem: an HTML sanitization strategy can be used to sanitize the user's custom email content, such as removing the <script> </script> and parts to make sure the content received by the end users is safe.

We can provide a switch for the HTML sanitization feature; by default the feature is enabled. We can also provide an HTML element allow list and deny list to let users configure which HTML elements they think are secure or insecure, and we can set some default values for the allow list and deny list according to some user experience.

In order to implement the HTML sanitization without reinventing the wheel, we can use a third-party library directly to sanitize the HTML content. There is an open source project called java-html-sanitizer that can be used; the project is under OWASP (Open Worldwide Application Security Project) and is under the Apache 2 license, so we can use it safely and freely. OWASP provides free and open resources in the field of web application security, so it's safe to use their projects.

Here are some useful links about HTML sanitization:

HTML sanitization wiki: https://en.wikipedia.org/wiki/HTML_sanitization
OWASP Java HTML Sanitizer introduction: https://owasp.org/www-project-java-html-sanitizer/
OWASP Java HTML Sanitizer GitHub repo: https://github.com/OWASP/java-html-sanitizer
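
The switch, allow list and deny list proposed in the comment above, expressed with the OWASP Java HTML Sanitizer's `HtmlPolicyBuilder`. This is an added example, not code from the issue or from the Notifications plugin; the class name, constructor parameters and default lists are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example. Needs the OWASP Java HTML Sanitizer jar on the classpath.
// EmailHtmlSanitizer, its constructor arguments and the default lists are
// hypothetical; they are not settings of the Notifications plugin.
public final class EmailHtmlSanitizer {
    static final Set<String> DEFAULT_ALLOW =
        Set.of("p", "br", "b", "i", "ul", "ol", "li", "table", "tr", "th", "td", "a");
    static final Set<String> DEFAULT_DENY =
        Set.of("script", "style", "iframe", "object", "embed", "form");

    private final boolean enabled;
    private final PolicyFactory policy;

    public EmailHtmlSanitizer(boolean enabled, Set<String> allow, Set<String> deny) {
        this.enabled = enabled;
        // The deny list wins: an element named in both lists is not allowed.
        Set<String> elements = new LinkedHashSet<>(allow);
        elements.removeAll(deny);
        HtmlPolicyBuilder builder =
            new HtmlPolicyBuilder().allowElements(elements.toArray(new String[0]));
        if (elements.contains("a")) {
            // Links keep only href, and only with https: or mailto: URLs.
            builder.allowAttributes("href").onElements("a")
                   .allowUrlProtocols("https", "mailto")
                   .requireRelNofollowOnLinks();
        }
        this.policy = builder.toFactory();
    }

    // Returns the body to place in the text/html part of the message.
    public String render(String userHtml) {
        return enabled ? policy.sanitize(userHtml) : userHtml;
    }

    public static void main(String[] args) {
        // Constructed sample of a user-defined alert message template.
        String body = "<p>Monitor <b onclick=\"x()\">cpu-high</b> triggered.</p>"
            + "<script>alert(1)</script>"
            + "<a href=\"javascript:void(0)\">details</a> "
            + "<a href=\"https://dashboards.example.com/alerts\">open</a>"
            + "<form action=\"https://example.com\"><input name=\"pw\"></form>";
        System.out.println(new EmailHtmlSanitizer(true, DEFAULT_ALLOW, DEFAULT_DENY).render(body));
    }
}
```

Because the policy is built from an allow list, any element or attribute that appears in neither list is also dropped; the deny list only matters for names an administrator has explicitly allowed.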
